From c1f22985d482fc08e2be68e97f67f9242673ad4c Mon Sep 17 00:00:00 2001 From: David Reinhart Date: Thu, 27 Jul 2023 14:48:24 -0700 Subject: [PATCH 1/4] Adding row level security policies --- .../consensus-genome/access-role-rls.sql | 17 +++++++++++++++++ .../genomic-sequence/access-role-rls.sql | 17 +++++++++++++++++ .../deploy/warehouse/sample/access-role-rls.sql | 17 +++++++++++++++++ .../sequence-read-set/access-role-rls.sql | 17 +++++++++++++++++ .../consensus-genome/access-role-rls.sql | 14 ++++++++++++++ .../genomic-sequence/access-role-rls.sql | 14 ++++++++++++++ .../revert/warehouse/sample/access-role-rls.sql | 14 ++++++++++++++ .../sequence-read-set/access-role-rls.sql | 14 ++++++++++++++ schema/sqitch.plan | 6 ++++++ .../consensus-genome/access-role-rls.sql | 5 +++++ .../genomic-sequence/access-role-rls.sql | 5 +++++ .../verify/warehouse/sample/access-role-rls.sql | 8 ++++++++ .../sequence-read-set/access-role-rls.sql | 7 +++++++ 13 files changed, 155 insertions(+) create mode 100644 schema/deploy/warehouse/consensus-genome/access-role-rls.sql create mode 100644 schema/deploy/warehouse/genomic-sequence/access-role-rls.sql create mode 100644 schema/deploy/warehouse/sample/access-role-rls.sql create mode 100644 schema/deploy/warehouse/sequence-read-set/access-role-rls.sql create mode 100644 schema/revert/warehouse/consensus-genome/access-role-rls.sql create mode 100644 schema/revert/warehouse/genomic-sequence/access-role-rls.sql create mode 100644 schema/revert/warehouse/sample/access-role-rls.sql create mode 100644 schema/revert/warehouse/sequence-read-set/access-role-rls.sql create mode 100644 schema/verify/warehouse/consensus-genome/access-role-rls.sql create mode 100644 schema/verify/warehouse/genomic-sequence/access-role-rls.sql create mode 100644 schema/verify/warehouse/sample/access-role-rls.sql create mode 100644 schema/verify/warehouse/sequence-read-set/access-role-rls.sql 
diff --git a/schema/deploy/warehouse/consensus-genome/access-role-rls.sql b/schema/deploy/warehouse/consensus-genome/access-role-rls.sql new file mode 100644 index 000000000..fe0cf2f28 --- /dev/null +++ b/schema/deploy/warehouse/consensus-genome/access-role-rls.sql @@ -0,0 +1,17 @@ +-- Deploy seattleflu/schema:warehouse/consensus-genome/access-role-rls to pg + +begin; + +alter table warehouse.consensus_genome + add access_role regrole; + +create policy consensus_genome_rls + on warehouse.consensus_genome + for all + to public + using (access_role is null or pg_has_role(current_user, access_role, 'usage')); + +alter table warehouse.consensus_genome + enable row level security; + +commit; diff --git a/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql b/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql new file mode 100644 index 000000000..f6db83c7b --- /dev/null +++ b/schema/deploy/warehouse/genomic-sequence/access-role-rls.sql @@ -0,0 +1,17 @@ +-- Deploy seattleflu/schema:warehouse/genomic-sequence/access-role-rls to pg + +begin; + +alter table warehouse.genomic_sequence + add access_role regrole; + +create policy genomic_sequence_rls + on warehouse.genomic_sequence + for all + to public + using (access_role is null or pg_has_role(current_user, access_role, 'usage')); + +alter table warehouse.genomic_sequence + enable row level security; + +commit; diff --git a/schema/deploy/warehouse/sample/access-role-rls.sql b/schema/deploy/warehouse/sample/access-role-rls.sql new file mode 100644 index 000000000..1a0eea295 --- /dev/null +++ b/schema/deploy/warehouse/sample/access-role-rls.sql 
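Review bot: `alter table warehouse.consensus_genome enable row level security` still lets the table owner, superusers and any role with BYPASSRLS read every row, so `consensus_genome_rls` binds only non-owner roles; if the loading role owns these tables that is presumably intended, but it should be written down, and `force row level security` is the option if the owner must be gated as well. A second caveat worth a comment: `access_role regrole` stores a bare OID with no dependency tracking, so dropping a role leaves dangling values, and `pg_has_role(current_user, <dangling oid>, 'usage')` appears to yield NULL on current versions, which silently hides the row instead of failing loudly (confirm on the deployed version). I would add `comment on column warehouse.consensus_genome.access_role is 'Role whose members may see this row; null means visible to all roles. Table owner and BYPASSRLS roles are not restricted.';` right after the `add access_role regrole` statement. The genomic_sequence hunk on this same line has the identical shape and needs the same comment.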
@@ -0,0 +1,17 @@ +-- deploy seattleflu/schema:warehouse/sample/access-role-rls to pg + +begin; + +alter table warehouse.sample + add access_role regrole; + +create policy sample_rls + on warehouse.sample + for all + to public + using (access_role is null or pg_has_role(current_user, access_role, 'usage')); + +alter table warehouse.sample + enable row level security; + +commit; diff --git a/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql b/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql new file mode 100644 index 000000000..c11a52bcc --- /dev/null +++ b/schema/deploy/warehouse/sequence-read-set/access-role-rls.sql @@ -0,0 +1,17 @@ +-- Deploy seattleflu/schema:warehouse/sequence-read-set/access-role-rls to pg + +begin; + +alter table warehouse.sequence_read_set + add access_role regrole; + +create policy sequence_read_set_rls + on warehouse.sequence_read_set + for all + to public + using (access_role is null or pg_has_role(current_user, access_role, 'usage')); + +alter table warehouse.sequence_read_set + enable row level security; + +commit; diff --git a/schema/revert/warehouse/consensus-genome/access-role-rls.sql b/schema/revert/warehouse/consensus-genome/access-role-rls.sql new file mode 100644 index 000000000..23738f4bb --- /dev/null +++ b/schema/revert/warehouse/consensus-genome/access-role-rls.sql @@ -0,0 +1,14 @@ +-- Revert seattleflu/schema:warehouse/consensus-genome/access-role-rls from pg + +begin; + +alter table warehouse.consensus_genome + disable row level security; + +drop policy consensus_genome_rls + on warehouse.consensus_genome; + +alter table warehouse.consensus_genome + drop column access_role; + +commit; diff --git a/schema/revert/warehouse/genomic-sequence/access-role-rls.sql b/schema/revert/warehouse/genomic-sequence/access-role-rls.sql new file mode 100644 index 000000000..6e955efc7 --- /dev/null +++ b/schema/revert/warehouse/genomic-sequence/access-role-rls.sql 
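Review bot: In the sample hunk the new column has no default, so every existing row carries a null access_role and the policy's `access_role is null or ...` leaves them readable by any role with select on warehouse.sample; the migration is fail-open until rows are tagged, which is reasonable for a first rollout but should be recorded so nobody assumes restriction is in force before a backfill. Note also that `for all` with only a `using` clause reuses that expression as the `with check` for inserts and updates, so a writer that is not a member of the target role cannot tag rows for it unless it owns the table or bypasses RLS. A one-line comment above `create policy sample_rls`, such as `-- null access_role = unrestricted; the using clause also serves as with check for writes`, would spare the next reader a trip to the docs. The sequence_read_set hunk on this line has the same shape.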
@@ -0,0 +1,14 @@ +-- Revert seattleflu/schema:warehouse/genomic-sequence/access-role-rls from pg + +begin; + +alter table warehouse.genomic_sequence + disable row level security; + +drop policy genomic_sequence_rls + on warehouse.genomic_sequence; + +alter table warehouse.genomic_sequence + drop column access_role; + +commit; diff --git a/schema/revert/warehouse/sample/access-role-rls.sql b/schema/revert/warehouse/sample/access-role-rls.sql new file mode 100644 index 000000000..477c186ce --- /dev/null +++ b/schema/revert/warehouse/sample/access-role-rls.sql @@ -0,0 +1,14 @@ +-- Revert seattleflu/schema:warehouse/sample/access-role-rls from pg + +begin; + +alter table warehouse.sample + disable row level security; + +drop policy sample_rls + on warehouse.sample; + +alter table warehouse.sample + drop column access_role; + +commit; diff --git a/schema/revert/warehouse/sequence-read-set/access-role-rls.sql b/schema/revert/warehouse/sequence-read-set/access-role-rls.sql new file mode 100644 index 000000000..47bdf0d62 --- /dev/null +++ b/schema/revert/warehouse/sequence-read-set/access-role-rls.sql @@ -0,0 +1,14 @@ +-- Revert seattleflu/schema:warehouse/sequence-read-set/access-role-rls from pg + +begin; + +alter table warehouse.sequence_read_set + disable row level security; + +drop policy sequence_read_set_rls + on warehouse.sequence_read_set; + +alter table warehouse.sequence_read_set + drop column access_role; + +commit; diff --git a/schema/sqitch.plan b/schema/sqitch.plan index 8a2901c5b..ee9d70808 100644 --- a/schema/sqitch.plan +++ b/schema/sqitch.plan 
@@ -243,3 +243,9 @@ functions/mint_identifiers 2022-07-15T22:13:52Z Dave Reinhart # roles/identifier-minter/grants [roles/identifier-minter/grants@2022-07-25] 2022-07-28T19:05:20Z Dave Reinhart # Add execute permissions on mint_identifiers function to identiifer-minter @2022-07-28 2022-07-28T19:20:25Z Dave Reinhart # Schema as of 28 July 2022 + +warehouse/sample/access-role-rls 2023-07-27T19:39:54Z Dave Reinhart # Add column to store role name; Implement row-level security on sample table +warehouse/genomic-sequence/access-role-rls 2023-07-27T21:01:44Z Dave Reinhart # Add column to store role name; Implement row-level security on genomic_sequence table +warehouse/consensus-genome/access-role-rls 2023-07-27T21:13:41Z Dave Reinhart # Add column to store role name; Implement row-level security on consensus_genome table +warehouse/sequence-read-set/access-role-rls 2023-07-27T21:32:39Z Dave Reinhart # Add column to store role name; Implement row-level security on sequence_read_set table +@2023-07-27 2023-07-27T21:44:39Z Dave Reinhart # Schema as of 27 July 2023 diff --git a/schema/verify/warehouse/consensus-genome/access-role-rls.sql b/schema/verify/warehouse/consensus-genome/access-role-rls.sql new file mode 100644 index 000000000..3f3769eef --- /dev/null +++ b/schema/verify/warehouse/consensus-genome/access-role-rls.sql @@ -0,0 +1,5 @@ +-- Verify seattleflu/schema:warehouse/consensus-genome/access-role-rls on pg + +begin; + +rollback; diff --git a/schema/verify/warehouse/genomic-sequence/access-role-rls.sql b/schema/verify/warehouse/genomic-sequence/access-role-rls.sql new file mode 100644 index 000000000..812902791 --- /dev/null +++ b/schema/verify/warehouse/genomic-sequence/access-role-rls.sql @@ -0,0 +1,5 @@ +-- Verify seattleflu/schema:warehouse/genomic-sequence/access-role-rls on pg + +begin; + +rollback; 
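Review bot: The verify scripts for consensus-genome and genomic-sequence at the end of this line contain only `begin; rollback;`, so `sqitch verify` reports success even when the policy or the row-security flag is missing. A catalog check covers both, e.g. `select 1/(count(*) = 1)::int from pg_policies where schemaname = 'warehouse' and tablename = 'consensus_genome' and policyname = 'consensus_genome_rls';` followed by `select 1/relrowsecurity::int from pg_class where oid = 'warehouse.consensus_genome'::regclass;`, with the table and policy names swapped for genomic_sequence. These verify scripts are the only automated guard on the new access control, so leaving them empty is worth fixing before the change reaches production.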
diff --git a/schema/verify/warehouse/sample/access-role-rls.sql b/schema/verify/warehouse/sample/access-role-rls.sql new file mode 100644 index 000000000..5ae5eaa13 --- /dev/null +++ b/schema/verify/warehouse/sample/access-role-rls.sql @@ -0,0 +1,8 @@ +-- Verify seattleflu/schema:warehouse/sample/access-role-rls on pg + +begin; + + insert into warehouse.sample (identifier, access_role) + values ('__SAMPLE__', 'postgres'); + +rollback; diff --git a/schema/verify/warehouse/sequence-read-set/access-role-rls.sql b/schema/verify/warehouse/sequence-read-set/access-role-rls.sql new file mode 100644 index 000000000..4c8f6b769 --- /dev/null +++ b/schema/verify/warehouse/sequence-read-set/access-role-rls.sql @@ -0,0 +1,7 @@ +-- Verify seattleflu/schema:warehouse/sequence-read-set/access-role-rls on pg + +begin; + + + +rollback; From 68b0ec100a58c4e9f6bc65e33f7c0812a1dc3fa1 Mon Sep 17 00:00:00 2001 From: David Reinhart Date: Thu, 27 Jul 2023 15:46:06 -0700 Subject: [PATCH 2/4] Add security invoker to shipping views Adding security invoker to shipping views to enforce row-level security policies on the underlying tables. By specifying this option, the current user's permissions are applied rather than the default (view owner's) permissions. --- schema/deploy/shipping/views.sql | 4 +- schema/deploy/shipping/views@2023-07-27.sql | 67 +++++++++++++++++++++ schema/revert/shipping/views.sql | 22 ++++++- schema/revert/shipping/views@2023-07-27.sql | 47 +++++++++++++++ schema/sqitch.plan | 2 + schema/verify/shipping/views@2023-07-27.sql | 15 +++++ 6 files changed, 154 insertions(+), 3 deletions(-) create mode 100644 schema/deploy/shipping/views@2023-07-27.sql create mode 100644 schema/revert/shipping/views@2023-07-27.sql create mode 100644 schema/verify/shipping/views@2023-07-27.sql diff --git a/schema/deploy/shipping/views.sql b/schema/deploy/shipping/views.sql index 68e87c803..d7bbbda75 100644 --- a/schema/deploy/shipping/views.sql +++ b/schema/deploy/shipping/views.sql 
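Review bot: The sample verify proves only that the access_role column accepts a regrole; run as the deploying role (typically the table owner or a superuser, which RLS does not restrict) the insert succeeds whether or not `sample_rls` exists or row security is enabled, and it also hardcodes a `postgres` role that may not exist on a managed instance. A catalog check is both stronger and portable: `select 1/(count(*) = 1)::int from pg_policies where schemaname = 'warehouse' and tablename = 'sample' and policyname = 'sample_rls';` plus `select 1/relrowsecurity::int from pg_class where oid = 'warehouse.sample'::regclass;`. The sequence-read-set verify on the same line is empty and needs the same two statements with its own names.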
@@ -14,7 +14,7 @@ begin; -- there needs to be a lag between view development and consumers being -- updated, copy the view definition into v2 and make changes there. -create or replace view shipping.presence_absence_result_v1 as +create or replace view shipping.presence_absence_result_v1 with (security_invoker = true) as select sample.identifier as sample, target.identifier as target, @@ -39,7 +39,7 @@ grant select to "incidence-modeler"; -create or replace view shipping.presence_absence_result_v2 as +create or replace view shipping.presence_absence_result_v2 with (security_invoker = true) as select sample.identifier as sample, target.identifier as target, diff --git a/schema/deploy/shipping/views@2023-07-27.sql b/schema/deploy/shipping/views@2023-07-27.sql new file mode 100644 index 000000000..68e87c803 --- /dev/null +++ b/schema/deploy/shipping/views@2023-07-27.sql 
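Review bot: Switching both views to `security_invoker = true` makes the query run with the caller's privileges on warehouse.sample, presence_absence, target and organism, but the hunk keeps only the `grant select` on the view itself; unless `incidence-modeler` already holds select on those base tables (not visible here), its reads will now fail with permission denied rather than being filtered by RLS. The header comment should also spell out the trade-off this introduces: once a consumer has select on the base tables, the view's `where target.control = false` is no longer a privilege boundary and only the RLS policies stand between the consumer and the raw rows. The option additionally requires PostgreSQL 15 or later, on which `create or replace view` will simply error rather than degrade. A smoke test as the consumer in the verify, `set local role "incidence-modeler"; select count(*) from shipping.presence_absence_result_v1;`, would catch a missing base-table grant at deploy time.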
@@ -0,0 +1,67 @@ +-- Deploy seattleflu/schema:shipping/views to pg +-- requires: shipping/schema +-- requires: functions/array_distinct + +-- Hello! All shipping views are defined here. Rework this change with Sqitch +-- to change a view definition or add new views. This workflow helps keep +-- inter-view dependencies manageable. + +begin; + +-- This view is versioned as a hedge against future changes. Changing this +-- view in place is fine as long as changes are backwards compatible. Think of +-- the version number as the major part of a semantic versioning scheme. If +-- there needs to be a lag between view development and consumers being +-- updated, copy the view definition into v2 and make changes there. + +create or replace view shipping.presence_absence_result_v1 as + + select sample.identifier as sample, + target.identifier as target, + present, + organism.lineage as organism + + from warehouse.sample + join warehouse.presence_absence using (sample_id) + join warehouse.target using (target_id) + left join warehouse.organism using (organism_id) + where target.control = false; + +comment on view shipping.presence_absence_result_v1 is + 'View of warehoused presence-absence results for modeling and viz teams'; + +revoke all + on shipping.presence_absence_result_v1 + from "incidence-modeler"; + +grant select + on shipping.presence_absence_result_v1 + to "incidence-modeler"; + + +create or replace view shipping.presence_absence_result_v2 as + + select sample.identifier as sample, + target.identifier as target, + present, + organism.lineage as organism, + presence_absence.details as details + + from warehouse.sample + join warehouse.presence_absence using (sample_id) + join warehouse.target using (target_id) + left join warehouse.organism using (organism_id) + where target.control = false; + +comment on view shipping.presence_absence_result_v2 is + 'View of warehoused presence-absence results for modeling and viz teams'; + +revoke all + on 
shipping.presence_absence_result_v2 + from "incidence-modeler"; + +grant select + on shipping.presence_absence_result_v2 + to "incidence-modeler"; + +commit; diff --git a/schema/revert/shipping/views.sql b/schema/revert/shipping/views.sql index dc03ad179..68e87c803 100644 --- a/schema/revert/shipping/views.sql +++ b/schema/revert/shipping/views.sql @@ -38,10 +38,30 @@ grant select on shipping.presence_absence_result_v1 to "incidence-modeler"; + +create or replace view shipping.presence_absence_result_v2 as + + select sample.identifier as sample, + target.identifier as target, + present, + organism.lineage as organism, + presence_absence.details as details + + from warehouse.sample + join warehouse.presence_absence using (sample_id) + join warehouse.target using (target_id) + left join warehouse.organism using (organism_id) + where target.control = false; + +comment on view shipping.presence_absence_result_v2 is + 'View of warehoused presence-absence results for modeling and viz teams'; + revoke all on shipping.presence_absence_result_v2 from "incidence-modeler"; -drop view shipping.presence_absence_result_v2; +grant select + on shipping.presence_absence_result_v2 + to "incidence-modeler"; commit; diff --git a/schema/revert/shipping/views@2023-07-27.sql b/schema/revert/shipping/views@2023-07-27.sql new file mode 100644 index 000000000..dc03ad179 --- /dev/null +++ b/schema/revert/shipping/views@2023-07-27.sql 
@@ -0,0 +1,47 @@ +-- Deploy seattleflu/schema:shipping/views to pg +-- requires: shipping/schema +-- requires: functions/array_distinct + +-- Hello! All shipping views are defined here. Rework this change with Sqitch +-- to change a view definition or add new views. This workflow helps keep +-- inter-view dependencies manageable. + +begin; + +-- This view is versioned as a hedge against future changes. Changing this +-- view in place is fine as long as changes are backwards compatible. Think of +-- the version number as the major part of a semantic versioning scheme. If +-- there needs to be a lag between view development and consumers being +-- updated, copy the view definition into v2 and make changes there. + +create or replace view shipping.presence_absence_result_v1 as + + select sample.identifier as sample, + target.identifier as target, + present, + organism.lineage as organism + + from warehouse.sample + join warehouse.presence_absence using (sample_id) + join warehouse.target using (target_id) + left join warehouse.organism using (organism_id) + where target.control = false; + +comment on view shipping.presence_absence_result_v1 is + 'View of warehoused presence-absence results for modeling and viz teams'; + +revoke all + on shipping.presence_absence_result_v1 + from "incidence-modeler"; + +grant select + on shipping.presence_absence_result_v1 + to "incidence-modeler"; + +revoke all + on shipping.presence_absence_result_v2 + from "incidence-modeler"; + +drop view shipping.presence_absence_result_v2; + +commit; diff --git a/schema/sqitch.plan b/schema/sqitch.plan index ee9d70808..4ed803514 100644 --- a/schema/sqitch.plan +++ b/schema/sqitch.plan 
@@ -249,3 +249,5 @@ warehouse/genomic-sequence/access-role-rls 2023-07-27T21:01:44Z Dave Reinhart # Add column to store role name; Implement row-level security on consensus_genome table warehouse/sequence-read-set/access-role-rls 2023-07-27T21:32:39Z Dave Reinhart # Add column to store role name; Implement row-level security on sequence_read_set table @2023-07-27 2023-07-27T21:44:39Z Dave Reinhart # Schema as of 27 July 2023 +shipping/views [shipping/views@2023-07-27] 2023-07-27T22:31:51Z Dave Reinhart # Add security invoker to shipping views for row-level security +@2023-07-28 2023-07-27T22:41:52Z Dave Reinhart # Schema as of 28 July 2023 diff --git a/schema/verify/shipping/views@2023-07-27.sql b/schema/verify/shipping/views@2023-07-27.sql new file mode 100644 index 000000000..136e6fc7e --- /dev/null +++ b/schema/verify/shipping/views@2023-07-27.sql @@ -0,0 +1,15 @@ +-- Verify seattleflu/schema:shipping/views on pg + +begin; + +select 1/(count(*) = 1)::int + from information_schema.views + where array[table_schema, table_name]::text[] + = pg_catalog.parse_ident('shipping.presence_absence_result_v1'); + +select 1/(count(*) = 1)::int + from information_schema.views + where array[table_schema, table_name]::text[] + = pg_catalog.parse_ident('shipping.presence_absence_result_v2'); + +rollback; From fdaa5dac74a3561d02101d0aba1a76767f68ac95 Mon Sep 17 00:00:00 2001 
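Review bot: The verify in this hunk checks only that the two views exist, not that the `security_invoker` option the rework adds is actually set; this file is the snapshot of the previous verify, and if the live `verify/shipping/views.sql` (not in this diff) is the same existence check, a later `create or replace view` without the option would pass verification silently. Checking reloptions closes that gap: `select 1/(count(*) = 1)::int from pg_class where oid = 'shipping.presence_absence_result_v1'::regclass and 'security_invoker=true' = any(reloptions);`, repeated for v2. Given the option is what makes the RLS policies apply to view consumers, it deserves an explicit assertion.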
From: David Reinhart Date: Mon, 14 Aug 2023 14:03:26 -0700 Subject: [PATCH 3/4] Replace sqitch.conf with a template with customizable database URIs Databases are no longer directly accessible, and each environment may have connections to ID3C configured differently, so replacing hard coded URIs with placeholders. `sqitch.template.conf` should be copied to `sqitch.conf` and the database connection URIs should updated in that file prior to running sqitch commands. --- .gitignore | 2 +- sqitch.conf => sqitch.template.conf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) rename sqitch.conf => sqitch.template.conf (66%) diff --git a/.gitignore b/.gitignore index 9a7926300..c7465b27d 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,7 @@ !/Pipfile.lock !/pytest.ini !/setup.py -!/sqitch.conf +!/sqitch.template.conf !/wsgi.py # and these directories diff --git a/sqitch.conf b/sqitch.template.conf similarity index 66% rename from sqitch.conf rename to sqitch.template.conf index 7d13770fc..6f7753493 100644 --- a/sqitch.conf +++ b/sqitch.template.conf @@ -18,10 +18,10 @@ target = dev [target "dev"] - uri = db:pg:seattleflu + uri = db:pg://@:/seattleflu [target "testing"] - uri = db:pg://testing.db.seattleflu.org/testing + uri = db:pg://@:/testing [target "production"] - uri = db:pg://production.db.seattleflu.org/production + uri = db:pg://@:/production From 05bb2353f958f226e2381f83f31ec7275d7ce960 Mon Sep 17 00:00:00 2001 
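Review bot: The placeholder URIs `db:pg://@:/seattleflu` invite filling in `user:password@host:port`, which leaves the database password in a plaintext file on every workstation that runs sqitch. Prefer leaving the password out and letting libpq read it from `~/.pgpass` or `PGPASSWORD`, and say so in a comment above the targets, e.g. `# Fill in user@host:port only; supply the password via ~/.pgpass, never in this file`. The ignore file appears to be allowlist-style, so the copied `sqitch.conf` is ignored only by omission, which is easy to miss when someone later adds a broader `!` rule; an explicit `/sqitch.conf` line next to the new `!/sqitch.template.conf` entry would make the intent visible.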
From: David Reinhart Date: Fri, 18 Aug 2023 16:53:45 -0700 Subject: [PATCH 4/4] Revoke select permissions from reporter on receiving.consensus_genome and receiving.sequence_read_set --- .../revoke-select-on-receiving-consensus-genome.sql | 7 +++++++ .../revoke-select-on-receiving-sequence-read-set.sql | 7 +++++++ .../revoke-select-on-receiving-consensus-genome.sql | 7 +++++++ .../revoke-select-on-receiving-sequence-read-set.sql | 7 +++++++ schema/sqitch.plan | 4 ++++ .../revoke-select-on-receiving-consensus-genome.sql | 7 +++++++ .../revoke-select-on-receiving-sequence-read-set.sql | 7 +++++++ 7 files changed, 46 insertions(+) create mode 100644 schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql create mode 100644 schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql create mode 100644 schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql create mode 100644 schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql create mode 100644 schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql create mode 100644 schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql diff --git a/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql new file mode 100644 index 000000000..923464305 --- /dev/null +++ b/schema/deploy/roles/reporter/revoke-select-on-receiving-consensus-genome.sql @@ -0,0 +1,7 @@ +-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome to pg + +begin; + +revoke select on receiving.consensus_genome from reporter; + +commit; diff --git a/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql new file mode 100644 index 000000000..2177b3666 --- /dev/null 
+++ b/schema/deploy/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql @@ -0,0 +1,7 @@ +-- Deploy seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set to pg + +begin; + +revoke select on receiving.sequence_read_set from reporter; + +commit; diff --git a/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql new file mode 100644 index 000000000..0d92dabba --- /dev/null +++ b/schema/revert/roles/reporter/revoke-select-on-receiving-consensus-genome.sql @@ -0,0 +1,7 @@ +-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome from pg + +begin; + +grant select on receiving.consensus_genome to reporter; + +commit; diff --git a/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql new file mode 100644 index 000000000..06f6f8160 --- /dev/null +++ b/schema/revert/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql @@ -0,0 +1,7 @@ +-- Revert seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set from pg + +begin; + +grant select on receiving.sequence_read_set to reporter; + +commit; diff --git a/schema/sqitch.plan b/schema/sqitch.plan index 4ed803514..0fe568688 100644 --- a/schema/sqitch.plan +++ b/schema/sqitch.plan 
@@ -251,3 +251,7 @@ warehouse/sequence-read-set/access-role-rls 2023-07-27T21:32:39Z Dave Reinhart < @2023-07-27 2023-07-27T21:44:39Z Dave Reinhart # Schema as of 27 July 2023 shipping/views [shipping/views@2023-07-27] 2023-07-27T22:31:51Z Dave Reinhart # Add security invoker to shipping views for row-level security @2023-07-28 2023-07-27T22:41:52Z Dave Reinhart # Schema as of 28 July 2023 + +roles/reporter/revoke-select-on-receiving-consensus-genome 2023-08-18T23:41:26Z Dave Reinhart # Revoke select permissions on receiving.consensus_genome from reporter. +roles/reporter/revoke-select-on-receiving-sequence-read-set 2023-08-21T17:02:31Z Dave Reinhart # Revoke select permissions on receiving.sequence_read_set from reporter. +@2023-08-21 2023-08-21T17:58:25Z Dave Reinhart # Schema as of 21 August 2023 diff --git a/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql b/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql new file mode 100644 index 000000000..6ce6c4221 --- /dev/null +++ b/schema/verify/roles/reporter/revoke-select-on-receiving-consensus-genome.sql @@ -0,0 +1,7 @@ +-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-consensus-genome on pg + +begin; + +select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.consensus_genome', 'select'))::int; + +rollback; diff --git a/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql b/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql new file mode 100644 index 000000000..dc69e4004 --- /dev/null +++ b/schema/verify/roles/reporter/revoke-select-on-receiving-sequence-read-set.sql @@ -0,0 +1,7 @@ +-- Verify seattleflu/schema:roles/reporter/revoke-select-on-receiving-sequence-read-set on pg + +begin; + +select 1/(not pg_catalog.has_table_privilege('reporter', 'receiving.sequence_read_set', 'select'))::int; + +rollback;
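Review bot: The verify uses `has_table_privilege('reporter', ..., 'select')`, which reports table-level privilege and does not consider column-level grants, so a pre-existing `grant select (col) ...` to reporter would survive the revoke and still pass verification. If column grants are possible on these receiving tables, add `select 1/(not pg_catalog.has_any_column_privilege('reporter', 'receiving.consensus_genome', 'select'))::int;` alongside the existing check, and likewise for sequence_read_set. The existing check does follow role membership, so select inherited through another role would correctly fail it, which is the right behaviour for a revocation that exists to keep raw, un-policied receiving rows away from the reporting role.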